The following comments are from Steve Northcutt.
>
>From Stephen.Northcutt@bmdo.osd.mil Thu Jul 1 11:49:33 1999
>Return-Path: <Stephen.Northcutt@bmdo.osd.mil>
>Received: from hqbmdofs03.bmdo.osd.mil (firewall.bmdo.osd.mil [134.152.2.194] (may be forged))
> by linus.mitre.org (8.8.7/8.8.7) with ESMTP id LAA26228
> for <coley@linus.mitre.org>; Thu, 1 Jul 1999 11:49:32 -0400 (EDT)
>Received: from hqbmdofs03.bmdo.osd.mil (root@localhost)
> by hqbmdofs03.bmdo.osd.mil with ESMTP id JAA02331
> for <coley@linus.mitre.org>; Thu, 1 Jul 1999 09:33:05 -0400 (EDT)
>Received: from hqbmdofs01.bmdo.osd.mil (hqbmdofs01.bmdo.osd.mil [172.20.1.1])
> by hqbmdofs03.bmdo.osd.mil with ESMTP id JAA02327
> for <coley@linus.mitre.org>; Thu, 1 Jul 1999 09:33:05 -0400 (EDT)
>Received: by HQBMDOFS01 with Internet Mail Service (5.5.2448.0)
> id <N4S6V5G7>; Thu, 1 Jul 1999 09:36:25 -0400
>Message-ID: <A0CCBD88DC7ED1118BBD00005A4441D403C1AFF4@HQBMDOFS01>
>From: "Northcutt, Stephen, CIV, BMDO/DSC" <Stephen.Northcutt@bmdo.osd.mil>
>To: "'Steven M. Christey'" <coley@linus.mitre.org>
>Subject: RE: Survey: Use of Same Attack/Same Codebase content decision in
> VDB's
>Date: Thu, 1 Jul 1999 09:36:24 -0400
>MIME-Version: 1.0
>X-Mailer: Internet Mail Service (5.5.2448.0)
>Content-Type: text/plain;
> charset="iso-8859-1"
>
><I'd prefer to delay deciding on the Same Attack/Same Codebase
><decisions until I hear from an IDS person.
>
>Actually, I have done a little intrusion detection system development.
>
>>From a pragmatic IDS perspective you are keying on three things, source
>information, dest information, signature information.
>
>CVE would be concerned with the latter. Most IDSes are very primitive
>and rely on exact signature matches. However, at the price of false
>positives they often match on substrings. Can two completely different
>attacks have the same signature? Certainly. Can we track a codebase
>by its network footprint? Sometimes.
>
>
>Vulnerabilities are the gateways by which exploits are made manifest.
>A network based IDS can't (usually) detect the vulnerability, it detects
>the signature of the exploit in transit. Now let's bring it home.
>
>Because the signature matching is so poor on most intrusion detection
>systems, if you are going to be sensitive to IDSes, you probably need
>to individually enumerate the vulnerabilities since they will often have
>a different signature. You do NOT want to give IDSes a reason to do
>partial matches! For instance two commercial systems alert on phf? instead
>of phf? and cat (as in cat /etc/passwd). That causes a lot of false
>positives and gets the filter turned off in short order.
>
>If you find this helpful, feel free to share with the group. S.
>
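The phf example in Northcutt's message, worked through as an added illustration that is not part of the original message and not code from Northcutt, CVE or any IDS vendor. The HTTP request lines below are constructed for this example, and the three signature functions are assumptions that model what the message describes: a bare "phf?" substring rule, the narrower "phf? and cat" rule, and (going one step beyond the message) a rule that percent-decodes the request before matching and requires the newline that the phf exploit injects before the command. Running each over the same traffic shows how the partial match buys coverage with false positives, how the narrower literal rule is still a substring match and can both miss an encoded variant and fire on benign text, and why decoding before matching matters.

```python
"""Toy network-IDS signature matching over HTTP request lines.

Added example, not code from the quoted message. Sample request lines
are constructed; the signatures are assumptions modelling the phf case.
"""
import re
from urllib.parse import unquote

# Constructed sample traffic: (request line, ground truth: is this an attack?)
SAMPLE_REQUESTS = [
    # Legitimate phonebook lookup through the phf CGI.
    ("GET /cgi-bin/phf?Qalias=smith&Qname=John HTTP/1.0", False),
    # Classic phf exploit shape: %0a newline injection followed by a command.
    ("GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0", True),
    # Same exploit with the 'c' of cat percent-encoded (assumed evasion variant).
    ("GET /cgi-bin/phf?Qalias=x%0A/bin/%63at%20/etc/passwd HTTP/1.0", True),
    # Benign line that happens to contain both 'phf?' and 'cat' as substrings.
    ("GET /docs/phf?section=cat-breeds HTTP/1.0", False),
    ("GET /index.html HTTP/1.0", False),
]


def sig_loose(line: str) -> bool:
    """Alert on the bare 'phf?' substring (the overbroad commercial rule)."""
    return "phf?" in line


def sig_phf_and_cat(line: str) -> bool:
    """Alert only when both 'phf?' and 'cat' appear literally in the raw line."""
    return "phf?" in line and "cat" in line


def normalize(line: str) -> str:
    """Percent-decode once and lower-case so %0A, %0a and %63at compare equal."""
    return unquote(line).lower()


# After decoding: 'phf?' ... newline ... optional path prefix ... 'cat' as a word.
_PHF_CMD_INJECT = re.compile(r"phf\?[^\s]*\n\s*(?:/[^\s]*/)?cat\b")


def sig_phf_newline_cat(line: str) -> bool:
    """Decode first, then require the injected newline before the cat command."""
    return bool(_PHF_CMD_INJECT.search(normalize(line)))


def evaluate(signature, requests=SAMPLE_REQUESTS):
    """Return (true_positives, false_positives, false_negatives) for one signature."""
    tp = fp = fn = 0
    for line, is_attack in requests:
        hit = signature(line)
        if hit and is_attack:
            tp += 1
        elif hit and not is_attack:
            fp += 1
        elif not hit and is_attack:
            fn += 1
    return tp, fp, fn


def compare_signatures():
    """Score every signature over the constructed traffic; name -> (tp, fp, fn)."""
    return {
        sig.__name__: evaluate(sig)
        for sig in (sig_loose, sig_phf_and_cat, sig_phf_newline_cat)
    }


if __name__ == "__main__":
    for name, (tp, fp, fn) in compare_signatures().items():
        print(f"{name:22s} TP={tp} FP={fp} FN={fn}")
```

On this traffic the bare "phf?" rule catches both attacks but also fires on the legitimate phonebook query and the documentation URL, which is exactly the false-positive rate that gets a filter switched off. Requiring the literal "cat" as well removes one false positive but still fires on "cat-breeds" and misses the percent-encoded variant, because it is still matching substrings of the raw bytes. Decoding before matching and keying on the newline injection is what ties the signature to the exploit's actual mechanism rather than to a fragment of its text.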